Re: [Freeipa-users] Question About Properly Configuring DNS

2014-10-29 Thread Petr Spacek

On 27.10.2014 19:15, Simo Sorce wrote:

> On Mon, 27 Oct 2014 17:50:13 +
> "Trevor T Kates (Services - 6)"  wrote:
> 
> > > -Original Message-
> > > From: Simo Sorce [mailto:s...@redhat.com]
> > > Sent: Monday, October 27, 2014 12:30 PM
> > > To: Trevor T Kates (Services - 6)
> > > Cc: freeipa-users@redhat.com
> > > Subject: Re: [Freeipa-users] Question About Properly Configuring DNS
> > > 
> > > On Mon, 27 Oct 2014 14:07:42 +
> > > "Trevor T Kates (Services - 6)"  wrote:
> > > 
> > > > Hi, all:
> > > >
> > > > I have four servers (two in one location, two in another) running
> > > > IPA 3.0 set to replicate like so:
> > > >
> > > > Location A Server 1 - - - - - - - - Location B Server 1
> > > >   ||
> > > >   ||
> > > >   ||
> > > >   ||
> > > > Location A Server 2 - - - - - - - - Location B Server 2
> > > >
> > > > Each server has DNS configured; however, I think I have configured
> > > > something inappropriately with respect to authoritative records.
> > > >
> > > > I have eight zones configured and ipa dnszone-show for any one of
> > > > them has Location B Server 1's name as authoritative. In each of
> > > > the eight zones, I have added NS records for the other three
> > > > servers. On all of the servers except Location B Server
> > > > 1, /var/log/messages will show:
> > > >
> > > > client x.xxx.x.xxx#14366: received notify for zone
> > > > 'x.xxx.x.in-addr.arpa': not authoritative
> > > >
> > > > This occurs for most, but not all, zones. Along with this:
> > > >
> > > > LDAP query timed out. Try to adjust "timeout" parameter
> > > > update_record (psearch) failed, dn
> > > > 'idnsname=xxx,idnsname=x.xxx.xx.in-addr.arpa.,cn=dns,dc=example,dc=com'
> > > > change type 0x0. Records can be outdated, run `rndc reload`: not
> > > > found
> > > >
> > > > I feel like I've misconfigured a few things along the way and I'd
> > > > love some help. Along with that if anyone has recommendations on
> > > > things I should read to help me better understand what I should be
> > > > doing with DNS, I'd appreciate it.
> > > 
> > > Uhmm sounds like a bug in reloading the info in the bind ldap
> > > plugin.
> > > 
> > > Can you restart named on one of the other servers and tell if the
> > > warning goes away and/or if the client returns that server as
> > > authoritative after the bounce?
> > > 
> > > Simo.
> > >
> > > --
> > > Simo Sorce * Red Hat, Inc * New York
> > 
> > Upon restarting named, 'not authoritative' is not present for any of
> > the zones and dig on clients shows all of the servers as
> > authoritative. The restart of named did not always go cleanly,
> > however. Sometimes, the same timeout issue as before would present
> > itself. Should I not worry about those?
> 
> Ok, would you be able to open a bug (bugzilla or trac, either is fine)
> for the 2 issues?
> 
> One seems to be that changing the NS record is not causing a proper
> change in authoritative status.
> The second should be about the timeout error you are seeing.


Please keep in mind that bind-dyndb-ldap just reads data from LDAP, so
naturally changes done in LDAP are not visible in DNS if the directory server
is not working properly.

The default LDAP search timeout used by bind-dyndb-ldap is 60 seconds, which
is *a lot*, i.e. it should not happen at all.

I would recommend that you dig into the directory server logs in
/var/log/dirsrv/ to see if there is a problem before you open a
bind-dyndb-ldap bug - I would point you to the DS logs anyway :-)

Do you see high CPU/memory utilization or something like that? Does the LDAP
server respond to a normal LDAP query when you see messages like "LDAP query
timeout"?

Which version of bind-dyndb-ldap and 389-ds-base do you use?

--
Petr^2 Spacek
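
A small triage script, added here as an example and not part of this thread, of FreeIPA or of bind-dyndb-ldap, that parses the two kinds of named log lines quoted above from /var/log/messages (refused NOTIFYs per zone, LDAP psearch timeouts) and checks with `dig +norecurse` whether a given replica really answers a zone authoritatively (the `aa` header flag). The sample log lines, regexes, zone and DN values are constructed assumptions for the example.

```python
"""Triage the two symptoms in this thread: NOTIFYs refused as 'not
authoritative' and bind-dyndb-ldap psearch/LDAP timeouts, then verify
a replica's authority directly with dig. Sample data is constructed."""
import re
import subprocess
from collections import Counter

NOT_AUTH = re.compile(r"client (\S+)#\d+: received notify for zone '([^']+)': not authoritative")
LDAP_TIMEOUT = re.compile(r"LDAP query timed out")
PSEARCH_FAIL = re.compile(r"update_record \(psearch\) failed, dn '([^']+)'")

# Constructed /var/log/messages lines in the format quoted in the thread (not real logs).
SAMPLE_LOG = [
    "Oct 27 09:01:12 ipa-a1 named[1234]: client 192.0.2.10#14366: received notify for zone '1.168.192.in-addr.arpa': not authoritative",
    "Oct 27 09:01:13 ipa-a1 named[1234]: client 192.0.2.10#14366: received notify for zone 'example.com': not authoritative",
    'Oct 27 09:02:00 ipa-a1 named[1234]: LDAP query timed out. Try to adjust "timeout" parameter',
    "Oct 27 09:02:00 ipa-a1 named[1234]: update_record (psearch) failed, dn 'idnsname=host1,idnsname=1.168.192.in-addr.arpa.,cn=dns,dc=example,dc=com' change type 0x0. Records can be outdated, run `rndc reload`: not found",
    "Oct 27 09:03:30 ipa-a1 named[1234]: client 192.0.2.10#14366: received notify for zone '1.168.192.in-addr.arpa': not authoritative",
]

def triage(lines):
    """Return (refused NOTIFYs per zone, number of LDAP timeouts, DNs whose psearch update failed)."""
    refused, timeouts, failed_dns = Counter(), 0, []
    for line in lines:
        m = NOT_AUTH.search(line)
        if m:
            refused[m.group(2)] += 1   # group(1) is the notifying peer, group(2) the zone
            continue
        if LDAP_TIMEOUT.search(line):
            timeouts += 1
        m = PSEARCH_FAIL.search(line)
        if m:
            failed_dns.append(m.group(1))
    return refused, timeouts, failed_dns

def is_authoritative(dig_output):
    """True when the header flags of a dig answer include 'aa' (authoritative answer)."""
    m = re.search(r"^;; flags: ([a-z ]*);", dig_output, re.M)
    return bool(m) and "aa" in m.group(1).split()

def check_server(server, zone):
    """Ask one replica directly for the zone SOA; a server that is really authoritative sets 'aa'."""
    out = subprocess.run(["dig", "+norecurse", "@" + server, zone, "SOA"],
                         capture_output=True, text=True).stdout
    return is_authoritative(out)
```

Running `triage()` over a real /var/log/messages on each replica and `check_server()` against each of the four servers for each zone gives the same picture Trevor obtained with dig, without waiting for the next NOTIFY.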

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project


Re: [Freeipa-users] Question About Properly Configuring DNS

2014-10-27 Thread Simo Sorce
On Mon, 27 Oct 2014 17:50:13 +
"Trevor T Kates (Services - 6)"  wrote:

> > -Original Message-
> > From: Simo Sorce [mailto:s...@redhat.com]
> > Sent: Monday, October 27, 2014 12:30 PM
> > To: Trevor T Kates (Services - 6)
> > Cc: freeipa-users@redhat.com
> > Subject: Re: [Freeipa-users] Question About Properly Configuring DNS
> > 
> > On Mon, 27 Oct 2014 14:07:42 +
> > "Trevor T Kates (Services - 6)"  wrote:
> > 
> > > Hi, all:
> > >
> > > I have four servers (two in one location, two in another) running
> > > IPA 3.0 set to replicate like so:
> > >
> > > Location A Server 1 - - - - - - - - Location B Server 1
> > >   ||
> > >   ||
> > >   ||
> > >   ||
> > > Location A Server 2 - - - - - - - - Location B Server 2
> > >
> > > Each server has DNS configured; however, I think I have configured
> > > something inappropriately with respect to authoritative records.
> > >
> > > I have eight zones configured and ipa dnszone-show for any one of
> > > them has Location B Server 1's name as authoritative. In each of
> > > the eight zones, I have added NS records for the other three
> > > servers. On all of the servers except Location B Server
> > > 1, /var/log/messages will show:
> > >
> > > client x.xxx.x.xxx#14366: received notify for zone
> > > 'x.xxx.x.in-addr.arpa': not authoritative
> > >
> > > This occurs for most, but not all, zones. Along with this:
> > >
> > > LDAP query timed out. Try to adjust "timeout" parameter
> > > update_record (psearch) failed, dn
> > > 'idnsname=xxx,idnsname=x.xxx.xx.in-addr.arpa.,cn=dns,dc=example,dc=com'
> > > change type 0x0. Records can be outdated, run `rndc reload`: not
> > > found
> > >
> > > I feel like I've misconfigured a few things along the way and I'd
> > > love some help. Along with that if anyone has recommendations on
> > > things I should read to help me better understand what I should be
> > > doing with DNS, I'd appreciate it.
> > 
> > Uhmm sounds like a bug in reloading the info in the bind ldap
> > plugin.
> > 
> > Can you restart named on one of the other servers and tell if the
> > warning goes away and/or if the client returns that server as
> > authoritative after the bounce?
> > 
> > Simo.
> >
> > --
> > Simo Sorce * Red Hat, Inc * New York
> 
> Upon restarting named, 'not authoritative' is not present for any of
> the zones and dig on clients shows all of the servers as
> authoritative. The restart of named did not always go cleanly,
> however. Sometimes, the same timeout issue as before would present
> itself. Should I not worry about those?

Ok, would you be able to open a bug (bugzilla or trac, either is fine)
for the 2 issues?

One seems to be that changing the NS record is not causing a proper
change in authoritative status.
The second should be about the timeout error you are seeing.

Thank you,
Simo.

> Thanks for your help!
> 
> Trevor T. Kates
> 



-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Question About Properly Configuring DNS

2014-10-27 Thread Trevor T Kates (Services - 6)
> -Original Message-
> From: Simo Sorce [mailto:s...@redhat.com]
> Sent: Monday, October 27, 2014 12:30 PM
> To: Trevor T Kates (Services - 6)
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Question About Properly Configuring DNS
> 
> On Mon, 27 Oct 2014 14:07:42 +
> "Trevor T Kates (Services - 6)"  wrote:
> 
> > Hi, all:
> >
> > I have four servers (two in one location, two in another) running IPA
> > 3.0 set to replicate like so:
> >
> > Location A Server 1 - - - - - - - - Location B Server 1
> >   ||
> >   ||
> >   ||
> >   ||
> > Location A Server 2 - - - - - - - - Location B Server 2
> >
> > Each server has DNS configured; however, I think I have configured
> > something inappropriately with respect to authoritative records.
> >
> > I have eight zones configured and ipa dnszone-show for any one of
> > them has Location B Server 1's name as authoritative. In each of the
> > eight zones, I have added NS records for the other three servers. On
> > all of the servers except Location B Server 1, /var/log/messages will
> > show:
> >
> > client x.xxx.x.xxx#14366: received notify for zone
> > 'x.xxx.x.in-addr.arpa': not authoritative
> >
> > This occurs for most, but not all, zones. Along with this:
> >
> > LDAP query timed out. Try to adjust "timeout" parameter
> > update_record (psearch) failed, dn
> > 'idnsname=xxx,idnsname=x.xxx.xx.in-addr.arpa.,cn=dns,dc=example,dc=com'
> > change type 0x0. Records can be outdated, run `rndc reload`: not found
> >
> > I feel like I've misconfigured a few things along the way and I'd
> > love some help. Along with that if anyone has recommendations on
> > things I should read to help me better understand what I should be
> > doing with DNS, I'd appreciate it.
> 
> Uhmm sounds like a bug in reloading the info in the bind ldap plugin.
> 
> Can you restart named on one of the other servers and tell if the
> warning goes away and/or if the client returns that server as
> authoritative after the bounce?
> 
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York

Upon restarting named, 'not authoritative' is not present for any of the zones
and dig on clients shows all of the servers as authoritative. The restart of
named did not always go cleanly, however. Sometimes, the same timeout issue as
before would present itself. Should I not worry about those?

Thanks for your help!

Trevor T. Kates





Re: [Freeipa-users] Question About Properly Configuring DNS

2014-10-27 Thread Simo Sorce
On Mon, 27 Oct 2014 14:07:42 +
"Trevor T Kates (Services - 6)"  wrote:

> Hi, all:
> 
> I have four servers (two in one location, two in another) running IPA
> 3.0 set to replicate like so:
> 
> Location A Server 1 - - - - - - - - Location B Server 1
>   ||
>   ||
>   ||
>   ||
> Location A Server 2 - - - - - - - - Location B Server 2
> 
> Each server has DNS configured; however, I think I have configured
> something inappropriately with respect to authoritative records.
> 
> I have eight zones configured and ipa dnszone-show for any one of
> them has Location B Server 1's name as authoritative. In each of the
> eight zones, I have added NS records for the other three servers. On
> all of the servers except Location B Server 1, /var/log/messages will
> show:
> 
> client x.xxx.x.xxx#14366: received notify for zone
> 'x.xxx.x.in-addr.arpa': not authoritative
> 
> This occurs for most, but not all, zones. Along with this:
> 
> LDAP query timed out. Try to adjust "timeout" parameter
> update_record (psearch) failed, dn
> 'idnsname=xxx,idnsname=x.xxx.xx.in-addr.arpa.,cn=dns,dc=example,dc=com'
> change type 0x0. Records can be outdated, run `rndc reload`: not found
> 
> I feel like I've misconfigured a few things along the way and I'd
> love some help. Along with that if anyone has recommendations on
> things I should read to help me better understand what I should be
> doing with DNS, I'd appreciate it.

Uhmm sounds like a bug in reloading the info in the bind ldap plugin.

Can you restart named on one of the other servers and tell if the
warning goes away and/or if the client returns that server as
authoritative after the bounce?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
